Al Franken Grandstands Over Meaningless Privacy Policies

from the come-on-al dept

We were just discussing the whole misguided focus on privacy policies. For years, now, there's been this false and silly belief that, if we just required that websites have "privacy policies," it would somehow lead to more privacy. But it's a completely false sense of security. No one reads privacy policies. They're meaningless. And you can put anything in one -- including claiming to freely give up anyone's data to anyone who asks. And yet... the obsession continues. My original post on the subject was due to a silly study about how many mobile apps don't have privacy policies. In true grandstanding fashion, it appears Senator Al Franken has picked up on that report, and is saying that Apple and Google should require privacy policies.

I'm sure he means well, and I'm sure he thinks this is about protecting people's privacy. But it's not. What good does a privacy policy do in this situation? It presents a bunch of policies that no one will read, no one will pay attention to, which the company can change at any time, and which can be written so broadly as to be the opposite of actually protecting anyone's privacy. And yet, if Google and Apple require such things, Franken and others will think they're protecting people's privacy, when they're not. Stop worrying about privacy policies, and start focusing on stuff that actually matters.

Re:

I've been really impressed by the stand he took on providing Americans with irrevocable and affordable health insurance. He really has a clear and rational platform for that. He's also been a voice for real net neutrality. But he lost my confidence when he supported COICA and PIPA. I'm just glad I didn't vote for him. I'd really be riddled with ambivalence.

Industry self-regulation

It's a problem with industry self-regulation in general. At best you see policies that are better than nothing, but require a certain amount of savvy to benefit from. For junk-mail and telemarketers it involves a variety of obscure and annoying opt-out procedures. Similarly, here you can understand what an app will be doing with your information if you are savvy and willing to go through the hassle of reading the policy, but it really won't prevent privacy abuses for most people. And no self-regulation actually could.

In general industry self-regulation of this sort only works when most of the industry is made up of large players who are capable of enforcing meaningful standards amongst themselves - in essence, because enforcement shifts from police/regulators to the industry itself, there must be some sufficiently powerful authority to do the enforcement.

Google and Apple have the capability to force developers to make a disclosure about how the info is used, but as a practical matter the decentralization of App development means they can't enforce meaningful privacy standards without scaling up the review process (which could be costly). You can investigate and monitor a few developers for relatively low cost, but not thousands. So app developers can easily release ridiculous policies or even fail to adhere to their own policies with low risk of punishment.

Why isn't there a EULA protocol?

There are several clauses people don't mind being in a EULA, so why not formalize the whole procedure? Have websites pick from a list of commonly agreed-to privacy stipulations. I should be able to set my EULA preferences in my browser, so that if a site's EULA doesn't agree with my preferences, then I get a warning explicitly telling me what has changed and if I would like to expand the number of clauses I'm agreeing to. This way you'd only have to read the clauses once, and it provides a way to force websites to be honest with their users if/when a change is made.

Some do read privacy policies

The premise that "no one reads privacy policies" is wrong and unfortunately undermines the entire argument. While only a handful may read privacy policies, it does make a difference -- in fact, they *have* made a difference. I never read FB's policies, but I was alerted to what was there by others who had. A sufficient number of us were alerted and Zuckerberg was forced to back down.

Another reason to require privacy policies is that they could potentially be used as a basis for a class action lawsuit, which can happen even if literally no one in the class read the policy. Without a policy, there can be no breach of policy and therefore no actionable claim.

Yet another reason is that it's conceivable that some smart kid might come up with an app that checks privacy policies and alerts the user of potential danger prior to download. That can't happen unless the privacy policies exist.

It's true that one-person app operations have little incentive to adhere to their policies, but the bigger players do and this proposal does help (in a small way) to keep them honest.

I know that it's easier to make generalities about politicians or ad hominem on Franken, but it doesn't bolster anyone's position to completely ignore arguments in favor of this proposal. I'd love to hear about the stuff "that actually matters."